{"id":15948,"date":"2026-03-12T07:06:13","date_gmt":"2026-03-12T07:06:13","guid":{"rendered":"https:\/\/newestek.com\/?p=15948"},"modified":"2026-03-12T07:06:13","modified_gmt":"2026-03-12T07:06:13","slug":"ai-use-is-changing-how-much-companies-pay-for-cyber-insurance","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15948","title":{"rendered":"AI use is changing how much companies pay for cyber insurance"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>In July 2025, McDonald\u2019s had an unexpected problem on the menu, one involving McHire, its AI-powered platform used to recruit and screen job applicants. The system, developed by Paradox.ai, featured a rookie-level security flaw: the backend for restaurant operators <a href=\"https:\/\/www.csoonline.com\/article\/4020919\/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html\">accepted \u201c123456\u201d as both username and password<\/a>, and lacked multi-factor authentication. As a result, the personal data of around 64 million applicants was in danger. Luckily, the flaw was <a href=\"https:\/\/ian.sh\/mcdonalds\">uncovered<\/a> by security researchers Ian Carroll and Sam Curry, who notified the company.<\/p>\n<p>With organizations rushing to deploy AI tools without fully auditing them, incidents like this are not uncommon. AI adoption is moving faster than AI security and governance, according to an <a href=\"https:\/\/www.ibm.com\/security\/data-breach\">IBM report<\/a>. Last year, 13% of organizations reported breaches involving AI models or applications, while another 8% said they don\u2019t even know whether those systems have been compromised.<\/p>\n<p>And insurers know that. 
Many have tightened policy language, raised premiums, and carved out explicit exclusions for certain AI-related incidents, an effort that aims to limit exposure to risks that are poorly understood. A survey by <a href=\"https:\/\/delinea.com\/hubfs\/Delinea\/whitepapers\/delinea-whitepaper-2025-cyber-insurance.pdf\">Delinea<\/a> found that 42% of respondents said their cyber insurance policies now include exclusions tied to AI misuse and liability.<\/p>\n<p>Yet the picture is not entirely one-sided. Insurers are also rewarding stronger defenses: 86% of organizations say they have received premium discounts or credits for using AI-based security tools that bolster their security posture.<\/p>\n<p>\u201cAI is both a risk and an opportunity,\u201d says Nate Spurrier, vice president of insurance and counsel strategy at GuidePoint Security.<\/p>\n<h2 class=\"wp-block-heading\" id=\"cyber-insurers-are-changing-how-they-judge-risk\">Cyber insurers are changing how they judge risk<\/h2>\n<p>As AI becomes more deeply embedded across business operations \u2014 and increasingly exploited by attackers \u2014 cyber insurers are rethinking how they evaluate risk. Many are now moving beyond checkbox questionnaires and self-attestations, asking for evidence that security controls are actively monitored, tested and enforced. According to the Delinea report, 77% of insurers now require formal reviews by internal and IT security teams before issuing or renewing coverage, up from 56% a year ago.<\/p>\n<p>But even those reviews are no longer enough on their own. \u201cLeading cyber insurers have moved away from moment-in-time application forms toward continuous assessment of an organization\u2019s attack surface and controls,\u201d says Michael Phillips, Coalition\u2019s head of global cyber portfolio underwriting.<\/p>\n<p>In addition to underwriting and settling claims, Coalition also bundles cybersecurity services with its cyber insurance offerings. 
Policyholders gain access to tools that continuously monitor internet-facing systems for vulnerabilities and alerts, alongside expert guidance and threat intelligence. The idea is to reduce the frequency and severity of claims, by linking a company\u2019s security posture directly to its insurance coverage.<\/p>\n<p>And as AI touches many corners of modern business operations, that heightened scrutiny now extends to how companies use and govern the technology. \u201cInsurance carriers are wanting to know how policyholders and applicants are using AI within their organization: what controls are in place, how AI is being used and for what specific tasks, who is allowed to use it, and whether it\u2019s simply an efficiency tool or a core part of the end solution being offered to clients,\u201d says Spurrier.<\/p>\n<h2 class=\"wp-block-heading\" id=\"changes-to-coverage-and-language\">Changes to coverage and language<\/h2>\n<p>Now that AI is everywhere, insurers are rewriting their contracts to be much more specific about what\u2019s covered and what\u2019s not. Some have introduced affirmative AI endorsements, others have added exclusions, because AI risks can be unpredictable and potentially large-scale, and insurers don\u2019t want to be on the hook for losses they can\u2019t accurately price.<\/p>\n<p>Crafting the right policy language for a fast-evolving technology is a complex task. \u201cRight now, insurers don\u2019t have enough claims data to fully understand what language and components of AI risk should be targeted, so some carriers are using broad exclusions out of caution,\u201d Spurrier says.<\/p>\n<p>Yet that caution can be detrimental for organizations. \u201cAI is now an expected component of a successful cyber attack, and it\u2019s not always easy to discern what was created by AI or not,\u201d says Phillips. 
\u201cIf a policy excludes any AI\u2011related loss, an insurer could argue that a classic ransomware claim is out of scope simply because AI was used as part of the attack process.\u201d<\/p>\n<p>The issue is compounded by how policies have evolved. Many were written before generative AI went mainstream. Insurers later added AI-related language, layering new terms onto older contracts. This patchwork approach can create confusion. \u201cIf that wording isn\u2019t explained clearly, policyholders may assume they have the same protection as before, but they do not,\u201d Phillips says.<\/p>\n<p>Businesses and their brokers need to read policy language closely and talk through how it would actually work in practice. That means discussing specific AI-related scenarios with their brokers before renewal and seeing how they might affect different types of coverage.<\/p>\n<p>\u201cOne scenario may not impact some lines of insurance and then show up as excluded in another line of insurance,\u201d Spurrier says. \u201cThe time to clarify your AI coverage isn\u2019t during a claim, but during renewal and other pre-incident scenarios.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"bringing-costs-down-for-companies\">Bringing costs down for companies<\/h2>\n<p>Some companies that prove they have a good security posture can lower their insurance costs. To do that, they need to demonstrate that they\u2019re using AI-driven tools to spot anomalies early or cut response times from hours to minutes. \u201cFor insurers, that means smaller claims and faster recovery,\u201d Spurrier says.<\/p>\n<p>Discounts are usually offered to businesses that have strong, round-the-clock security in place. 
\u201cDetection solutions like EDR (<a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html\">endpoint detection and response<\/a>) are now widely expected by insurance carriers, and the next step is to continuously monitor the alerts generated so that action can be taken quickly,\u201d Spurrier adds.<\/p>\n<p>In the near future, AI-powered defenses may become mandatory for coverage, much like multi-factor authentication and endpoint detection and response tools are today. This means that companies that lag behind may find themselves at a disadvantage. \u201cIf you\u2019re relying on legacy tools, expect higher premiums or limited coverage,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In July 2025, McDonald\u2019s had an unexpected problem on the menu, one involving McHire, its AI-powered platform used to recruit and screen job applicants. The system, developed by Paradox.ai, featured a rookie-level security flaw: the backend for restaurant operators accepted \u201c123456\u201d as both username and password, and lacked multi-factor authentication. As a result, the personal data of around 64 million applicants was in danger. 
Luckily,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15948\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15948","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15948"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15948\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}